Is it possible to overwrite session id? #135
-
|
Hi there! I want to create a debug handler that takes session ID as an argument and sets it to the current session. One solution I can think of is to find the session in session store and reset session cookie with the id and other data from the session. Is there a cleaner approach? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Can you go into more detail regarding what your goal in doing this is? One reason this isn't exposed is security: how the session ID is generated is important. Usually we'd use cycle_id to change the session ID (for example, to prevent session fixation attacks). |
Beta Was this translation helpful? Give feedback.
-
|
Of course. As I said, the reason is debugging. I wanted to have a way to obtain another session and interact with the server as the original user of the session. I can certainly think of two use cases:
Actually, doing so was pretty easy, so I think I can close the ticket. Here is my solution just in case: async fn set_session(
State(state): State<Arc<ServerState>>,
Path(id): Path<Uuid>,
jar: CookieJar,
) -> ServerResult {
warn!("set_session is invoked");
let Some(session) = state
.db
.load(&Id(id))
.await
.map_err(|e| anyhow!("failed to load session {id}: {e}"))?
else {
return Ok(not_found().await);
};
let cookie = Cookie::build((crate::server::session::NAME, id.to_string()))
.path("/")
.expires(session.expiry_date)
.http_only(true)
.secure(crate::server::session::SECURE)
.same_site(crate::server::session::SAME_SITE);
Ok((jar.add(cookie), Redirect::to("/debug/session")).into_response())
} |
Beta Was this translation helpful? Give feedback.
-
|
It sounds like you're looking for a way to impersonate a user. In that case, you can simply use the session ID directly by setting Cookie: id={some-session-id}. If you do this on the request, tower-sessions will see the provided ID and use it without any extra work on your part. Note that if you want to do this in a middleware or handler, those will need to sit somewhere in your route graph below tower-sessions such that tower-sessions will receive the request with the desired ID. |
Beta Was this translation helpful? Give feedback.
It sounds like you're looking for a way to impersonate a user. In that case, you can simply use the session ID directly by setting Cookie: id={some-session-id}. If you do this on the request, tower-sessions will see the provided ID and use it without any extra work on your part. Note that if you want to do this in a middleware or handler, those will need to sit somewhere in your route graph below tower-sessions such that tower-sessions will receive the request with the desired ID.